Currently, protocols exist and are in use to authenticate a user or device, referred to as a client, when the client connects to a network, for the purpose of authorizing the client's use of network resources. If the authentication is unsuccessful, the network denies access to the client. To perform the authentication, the client exchanges authentication credentials, and possibly other information, with an authorization server (AS). The authorization server decides whether or not to admit the client to the network and then informs the network device to which the client is connected of that decision.
One well-established protocol for this exchange, for both wired (generally Ethernet) and wireless (generally 802.11) network access, is the IEEE 802.1X protocol. With the IEEE 802.1X protocol, the client exchanges credentials with the AS at the time the client connects to the network. To allow this exchange between the client and the AS to take place before access to the network is granted, the first network device to which the client connects acts as a relay, taking messages sent by the client and forwarding them to the AS, and taking messages from the AS and forwarding them to the client. The 802.1X protocol refers to this network device as the authenticator and to the client as the supplicant. The Remote Authentication Dial-In User Service (RADIUS) protocol is widely used for carrying messages between the authenticator and the AS; as a result, the AS is usually also a RADIUS server.
The 802.1X protocol itself does not specify how the messages between the supplicant and the AS are secured. Instead, it carries the Extensible Authentication Protocol (EAP), defined by the IETF in RFC 3748, encapsulated as EAP over LAN (EAPOL) between the supplicant and the authenticator; the authenticator passes the EAP messages on to the AS inside RADIUS. Several EAP methods have been defined and are in use to secure communication between the supplicant and the AS, including EAP-FAST, EAP-TLS and PEAP. In all of these methods a TLS handshake establishes an encrypted, integrity-protected channel between the supplicant and the AS as the initial part of the exchange. The supplicant must authenticate the AS during that handshake (for example, by validating the server certificate), since otherwise a rogue AS can impersonate the network and collect whatever credentials are sent inside the channel.
In addition to exchanging 802.1X protocol messages with the supplicant, the AS also exchanges RADIUS messages with the authenticator in order to inform, or provision, the authenticator with the configuration required for it to implement the resulting policy decision. Originally, the policy decision comprised a simple, binary permit or deny decision. However, with today's more sophisticated network uses and diverse client population, the policy decision can be a rich one, specifying complex access rules and also the level of service quality that should apply to messages to or from the client. Examples of policy that the authenticator might enforce include the VLAN to assign the client to, access control filters to apply to the client's packets, how much bandwidth to allocate to the client, and what priority to give the client's packets. In RADIUS these are carried as attributes of the Access-Accept message (for example, Tunnel-Private-Group-ID for the VLAN and Filter-Id for a named access list). Furthermore, this policy is often dynamically determined based on a multiplicity of factors such as location, time-of-day, and the type of client device.
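The following is an added worked example, not code from the original document, showing the RADIUS leg of the exchange described above: the AS builds an Access-Accept carrying a VLAN assignment and a filter name, and the authenticator verifies the reply before turning its attributes into local enforcement settings. The attribute numbers and the two integrity mechanisms (the Response Authenticator of RFC 2865 and the Message-Authenticator of RFC 3579) are the standard ones; the function names, the shared secret, the VLAN number and the ACL name are assumptions chosen for illustration. The security point a practitioner cares about is the check on the authenticator side: an Access-Accept that fails either check must be dropped, because acting on it would grant both network access and policy to whoever forged or altered it.

```python
import hashlib
import hmac
import os
import struct

# Attribute types: RFC 2865 (Filter-Id), RFC 2868 (Tunnel-*), RFC 3579 (Message-Authenticator)
ACCESS_ACCEPT = 2
FILTER_ID, MESSAGE_AUTHENTICATOR = 11, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def attr(atype, value):
    # One attribute TLV: Type(1) Length(1, includes the 2-byte header) Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def tagged(tag, payload):
    # RFC 2868 tagged value: a 1-byte tag (0x01-0x1F, 0 = unused) followed by the payload
    return bytes([tag]) + payload

def build_packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    body = b"".join(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def vlan_policy_attrs(vlan_id, acl_name, tag=1):
    # Policy the AS wants enforced: a VLAN assignment (tagged 3-byte integers) plus a named filter
    return [
        attr(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
        attr(TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))),
        attr(TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan_id).encode())),
        attr(FILTER_ID, acl_name.encode()),
    ]

def as_access_accept(secret, request_id, request_auth, attrs):
    # AS side: answer the Access-Request (request_id, request_auth) with an authenticated Access-Accept
    attrs = attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    # Message-Authenticator (RFC 3579): HMAC-MD5 over the packet with its own value zeroed
    # and the *Request* Authenticator in the authenticator field
    pkt = build_packet(ACCESS_ACCEPT, request_id, request_auth, attrs)
    attrs[-1] = attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, pkt, hashlib.md5).digest())
    pkt = build_packet(ACCESS_ACCEPT, request_id, request_auth, attrs)
    # Response Authenticator (RFC 2865): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def parse_attrs(data):
    # Walk the attribute TLVs, rejecting truncated or zero-length attributes
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2 : i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def verify_response(secret, request_auth, pkt):
    # Authenticator side: act on the reply only if both authenticators verify
    if len(pkt) < 20 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False  # mandatory when EAP is carried (RFC 3579); absence is a failure
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    mac = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, mas[0])

def policy_from_accept(pkt):
    # Turn the attributes of a verified Access-Accept into local enforcement settings
    tunnels, policy = {}, {"vlan": None, "acl": None}
    for t, v in parse_attrs(pkt[20:]):
        if t == FILTER_ID:
            policy["acl"] = v.decode()
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            key = "type" if t == TUNNEL_TYPE else "medium"
            tunnels.setdefault(v[0], {})[key] = int.from_bytes(v[1:4], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)  # octet > 0x1F is data, not a tag
            tunnels.setdefault(tag, {})["group"] = s.decode()
    for tun in tunnels.values():  # only a VLAN tunnel over IEEE 802 yields a VLAN assignment
        if tun.get("type") == TUNNEL_TYPE_VLAN and tun.get("medium") == TUNNEL_MEDIUM_IEEE_802 and "group" in tun:
            policy["vlan"] = int(tun["group"])
            break
    return policy

def demo(secret=b"constructed-shared-secret", request_auth=None):
    # One exchange with constructed values; returns (accept_verified, derived_policy, tampered_verified)
    request_auth = request_auth or os.urandom(16)  # the random authenticator of the Access-Request
    accept = as_access_accept(secret, 0x2A, request_auth, vlan_policy_attrs(120, "guest-acl-in"))
    ok = verify_response(secret, request_auth, accept)
    policy = policy_from_accept(accept) if ok else None
    # On-path tampering: rewrite the assigned VLAN from 120 to 100; verification must now fail
    tampered = accept.replace(attr(TUNNEL_PRIVATE_GROUP_ID, tagged(1, b"120")),
                              attr(TUNNEL_PRIVATE_GROUP_ID, tagged(1, b"100")))
    return ok, policy, verify_response(secret, request_auth, tampered)
```

Calling `demo()` returns `(True, {'vlan': 120, 'acl': 'guest-acl-in'}, False)`: the genuine reply passes and yields the VLAN and filter the authenticator should apply, while the altered reply is rejected. Both checks are keyed with the RADIUS shared secret, so the strength of this provisioning path is bounded by how that secret is chosen and distributed; an attacker who obtains it can mint policy of their own.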
In today's dynamic networks with their more sophisticated access control requirements, it is beneficial to provision the client with some of the policy decisions so that it can make decisions locally that match the level of access and level of service the network has authorized. However, no existing method provisions the client before it has been granted full network access, and none has the AS determine the appropriate policy dynamically; instead, the client's policy is fixed by a static configuration on the client itself or on a configuration server.
Therefore, it would be desirable to provide dynamic provisioning of a client with policy decisions or other information before network access is granted.